
LECTURE - 1

Books
Background
Computer Security / Internet Security
Top-level Issues
Attacks, services and mechanisms
Security attacks
Security services
Methods of Defense
A model for Internetwork Security
Internet standards and RFCs
BOOKS
Stallings, William, Cryptography & Network Security: Principles & Practices, PHI.
Forouzan, Behrouz A., Cryptography & Network Security, SIE, TMH.
Kahate, Atul, Cryptography & Network Security, TMH.
BACKGROUND
Review of Computer Network
Computer Security: tools designed to protect data and to thwart hackers
Security is affected by:
distributed systems
uses of networks
communication satellites
So, network security is needed to protect data during transmission.
DEFINITIONS
Computer Security - generic name for the
collection of tools designed to protect data and to
thwart hackers
Network Security - measures to protect data
during their transmission
Internet Security - measures to protect data
during their transmission over a collection of
interconnected networks
AIM OF COURSE
Our focus is on Internet Security, which consists of measures to deter, prevent, detect, and correct security violations that involve the transmission and storage of information.
BACKGROUND (Contd)
Figure: Defense in Depth onion, with Data or Information Security at the centre.
SECURITY TRENDS (figure)
Top-level issues
Safety, security and privacy
Security policy
threats, both external and internal
economic gains
cost of securing resources
cryptographic methods vs. physical security
Information security:
nature of resources (H/W, S/W, information)
during storage, access and communication
limited to a single computer vs. network security
various layers (physical through application layers)
SECURITY SERVICES
Services (or functions) vs. mechanisms
Security functions:
confidentiality
authentication
integrity
non-repudiation
access control
availability
SECURITY MECHANISMS
To detect, prevent, or recover from a
security attack.
Physical controls
Audit trails: a series of records of computer events
Fraud detection (data mining)
Steganography
Confidentiality / Encryption:
private-key vs. public-key encryption
key generation, exchange, and management
certification
Firewalls
etc.
Security Goals
Confidentiality, Integrity, Availability (figure: the three goals shown as a triangle)
February 6, 2017 A K Vatsa 11


SECURITY THREATS
A potential for violation of security, arising from a circumstance, capability, action or event.
Intentional vs. accidental
Various forms of violations:
Non-destructive
Destructive
Repudiation
Denial of service (DoS)
Threat techniques:
cryptanalysis
snooping
masquerading
replay attacks
viruses, worms
etc.
Attacks, Services and Mechanisms
Security Attack: Any action that
compromises the security of information.
It is an Intelligent Threat.
Security Mechanism: A mechanism that is
designed to detect, prevent, or recover from a
security attack.
Security Service: A service that enhances
the security of data processing systems and
information transfers. A security service
makes use of one or more security mechanisms.
Security Attacks



Security Attacks (Contd)
Interruption: an attack on availability
Interception: an attack on confidentiality
Modification: an attack on integrity
Fabrication: an attack on authenticity
TYPES OF ATTACK
1. Passive Attacks
2. Active Attacks
TYPES OF ATTACK (Contd)



PASSIVE ATTACKS
(i) Passive Attacks:
Attempt to learn or make use of information from the system, but do not affect system resources.
The attacker monitors transmission activity and obtains information.
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are the release of message contents and traffic analysis.
PASSIVE ATTACKS (Contd)
Release of message content
PASSIVE ATTACKS (Contd)
There are two types of passive attacks:
Release of message contents:
e.g. a telephone conversation, an e-mail message or a transferred file may contain sensitive information; we want to prevent the opponent from learning the contents.
Traffic Analysis:
Even when the contents are masked (i.e. encrypted) so that the opponent cannot read them, the opponent can still try to
determine the location and identity of the communicating hosts, and
observe the frequency and length of the messages being exchanged.
Note:
Passive attacks are very difficult to detect because they do not involve any alteration of the data.
So, the emphasis is on prevention rather than detection.
PASSIVE ATTACKS (Contd)
Traffic analysis
PASSIVE ATTACKS (Contd)

Note:
Passive attacks are very difficult to detect, because
they do not involve any alteration of the data.
Typically, the message traffic is sent and
received in an apparently normal fashion, and neither
the sender nor the receiver is aware that a third party
has read the messages or observed the traffic pattern.
ACTIVE ATTACK
(ii) Active Attack:
It attempts to alter system resources or affect their
operations.
It involves
Modification of data stream
Creation of false stream
Subdivided into four categories
Masquerade
Replay
Modification of message
Denial of Service (DoS)
1. MASQUERADE
Masquerade:
One Entity Pretends to be a different entity.
The attacker pretends to be an authorized user of a system in
order to gain access to it or to gain greater privileges than they
are authorized for.
Attempted through the use of stolen logon IDs and passwords,
through finding security gaps in programs, or through
bypassing the authentication mechanism.
Weak authentication
e.g. Once the attacker has been authorized for entry, they may have
full access to the organization's critical data, and may be able to
modify and delete software and data, and make changes to network
configuration and routing information.
MASQUERADE (Contd)
Example: IP address, transit time delay etc. masquerade
IP masquerading on a Linux machine (the kernel's NAT feature, under which packets leaving the gateway carry the gateway's own source address):
Set the timeout values using the ipfwadm command. The general syntax for this is:
ipfwadm -M -s <tcp> <tcpfin> <udp>
The ipfwadm, ipchains, and iptables commands are used to configure the IP masquerade rules.
The following ipfwadm commands are all that are required to make masquerading work (deny forwarding by default, then masquerade traffic from the internal 192.168.1.0/24 network):
# ipfwadm -F -p deny
# ipfwadm -F -a accept -m -S 192.168.1.0/24 -D 0/0
or with ipchains (the -P option takes the policy name directly, without -j):
# ipchains -P forward DENY
# ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j MASQ
or with iptables:
# iptables -t nat -P POSTROUTING DROP
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
MASQUERADE (Contd)
2. REPLAY
Replay:
Capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
A valid data transmission is maliciously or fraudulently repeated or delayed.
Carried out either by the originator or by an attacker who intercepts the data and retransmits it.
e.g. replaying an identity, password or key, session tokens etc.
REPLAY (Contd)
Example.
3. MODIFICATION OF MESSAGE
Modification of message:
Some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect.
Examples:
modifying a packet header address for the purpose of directing it to an unintended destination
modifying the user data to change the contents
changing or shuffling packet sequence numbers
MODIFICATION OF MESSAGE (Contd)
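Receiver-side checks that detect the replay (section 2) and modification, delay and reordering (section 3) attacks described above, as an added Python example that is not part of the lecture. The shared key, the JSON message layout, the sequence-number scheme and the 30-second freshness window are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed values for the example: a shared secret and a freshness window.
SHARED_KEY = b"example-shared-key-not-a-real-secret"
WINDOW_SECONDS = 30

def _canonical(body):
    """Deterministic encoding so sender and receiver tag exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(key, seq, payload, ts):
    """Sender: bind payload, sequence number and timestamp under one HMAC tag."""
    body = {"seq": seq, "ts": ts, "payload": payload}
    return {"body": body, "tag": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


class Receiver:
    """Accepts each genuine message once, in order, and only while it is fresh."""

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now            # injectable clock, so tests can freeze time
        self.expected_seq = 1     # next sequence number we are willing to accept
        self.seen_tags = set()    # replay cache of tags already accepted

    def verify(self, msg):
        body, tag = msg["body"], msg["tag"]
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "modified"     # contents, seq or ts changed, or tag forged
        if tag in self.seen_tags:
            return "replay"       # genuine message, but already delivered once
        if abs(self.now() - body["ts"]) > WINDOW_SECONDS:
            return "delayed"      # genuine, but held back beyond the window
        if body["seq"] != self.expected_seq:
            return "reordered"    # genuine, but out of sequence
        self.seen_tags.add(tag)
        self.expected_seq += 1
        return "accept"


if __name__ == "__main__":
    r = Receiver(SHARED_KEY)
    m1 = make_message(SHARED_KEY, 1, "transfer 10 to alice", time.time())
    print(r.verify(m1), r.verify(m1))   # prints: accept replay
```

The tag covers the sequence number and timestamp as well as the payload, so an attacker cannot adjust those fields to slip a captured message past the later checks.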
4. Denial of Service (DoS)
Prevents the normal use or management of communication services.
May be a targeted attack on a particular service, or an incapacitating attack on the whole network.
For example,
a network may be flooded with messages that cause a degradation of service, or possibly a complete collapse if a server shuts down under abnormal loading.
Another example is rapid and repeated requests to a web server, which bar legitimate access to others.
Denial-of-service attacks are frequently reported for internet-connected services.
Denial of Service (DoS) (Contd)
Note: Active Attack
Complete prevention of active attacks is unrealistic;
a strategy of detection followed by recovery is more appropriate.
Security Services
Confidentiality (privacy)
Authentication (who created or sent the data)
Integrity (has not been altered)
Non-repudiation (the order is final)
Access control (prevent misuse of resources)
Availability (permanence, non-erasure); threatened by e.g. denial of service attacks and viruses that delete files


Security Services
X.800: Security for OSI (Open Systems Interconnection)
a service provided by a protocol layer of communicating
open systems, which ensures adequate security of the
systems or of data transfers

RFC 2828:
a processing or communication service provided by a system
to give a specific kind of protection to system resources
OSI Security Architecture
(X.800 Security for Open Systems Interconnection)

OSI Security Architecture (Contd)
ITU-T Recommendation X.800.
Focuses on security services, mechanisms and attacks.
Service categories are:
Authentication - assurance that the communicating entity is the one claimed
Access Control - prevention of the unauthorized use of a resource
Data Confidentiality - protection of data from unauthorized disclosure
Data Integrity - assurance that data received is as sent by an authorized entity
Non-Repudiation - protection against denial by one of the parties in a communication
Security Mechanisms (X.800)
Specific security mechanisms:
encipherment, digital signatures, access controls,
data integrity, authentication exchange, traffic
padding, routing control, notarization
Pervasive security mechanisms:
trusted functionality, security labels, event
detection, security audit trails, security recovery
Model For Network Security



CRYPTOGRAPHY
Tools provider
Cryptography:
From Greek: Crypto = secret, Graphy = way of writing.
Way of secret writing.
Science and art of transforming messages to make them secure and immune to attacks.
Components Of Cryptography
Plaintext.
Cipher Text.
Encryption or Enciphering.
Encryption Key.
Encryption Algorithm.
Decryption or Deciphering.
Decryption Key.
Decryption Algorithm.
Cipher or Cryptographic System:
Encryption & Decryption Algorithms.
Cryptanalysis:
Breaking codes without knowledge of the enciphering details.
Cryptology: the area comprising cryptography and cryptanalysis.
Design of Cryptography Algorithms
Classified along three independent dimensions:
The number of keys used:
symmetric (single key)
asymmetric (two keys, or public-key encryption)
The type of operations used for transforming plaintext to cipher text:
Substitution: each plaintext element is mapped into another element.
Transposition: the plaintext elements are rearranged.
The way in which the plaintext is processed:
Stream cipher
Block cipher

Average time required for exhaustive key search

Key size (bits)   Number of alternative keys    Time required at 10^6 decryptions/µs
32                2^32  = 4.3 x 10^9            2.15 milliseconds
56                2^56  = 7.2 x 10^16           10 hours
128               2^128 = 3.4 x 10^38           5.4 x 10^18 years
168               2^168 = 3.7 x 10^50           5.9 x 10^30 years
Average time required for exhaustive key search

Key size                   Possible no. of keys   Time to crack (1 encryption/µs)   Time to crack (10^6 encryptions/µs)
32 bits                    10^9                   36 min                            2 msec
56 bits                    10^16                  1100 years                        10 hrs
128 bits                   10^38                  5 x 10^24 years                   5 x 10^18 years
26-character permutation   10^26                  6 x 10^12 years                   6 x 10^6 years
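How the figures in the two tables above are derived, as an added Python example that is not part of the lecture: on average the correct key turns up after half the key space has been tried, so the expected time is (key space / 2) divided by the trial rate. The trial rates come from the table headings; the 365-day year and the rounding used when printing are assumptions.

```python
import math

MICROSECONDS_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600   # assumption: a plain 365-day year


def average_search_seconds(keyspace, trials_per_microsecond):
    """Average time to find the key by exhaustive search.

    On average the correct key is found after trying half the key space,
    so the expected number of trials is keyspace / 2.
    """
    trials = keyspace / 2
    microseconds = trials / trials_per_microsecond
    return microseconds / MICROSECONDS_PER_SECOND


def in_years(seconds):
    return seconds / SECONDS_PER_YEAR


def describe(seconds):
    """Render a duration in the units the lecture tables use."""
    if seconds < 1:
        return f"{seconds * 1e3:.2f} milliseconds"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.0f} hours" if seconds >= 3600 else f"{seconds / 60:.0f} min"
    return f"{in_years(seconds):.1e} years"


def key_search_table(rates=(1, 10**6)):
    """Rows: label, key space size, and one duration per trial rate (per microsecond).

    Covers the binary key sizes of the first table and the 26-letter
    substitution alphabet (26! permutations) of the second.
    """
    entries = [(f"{bits} bits", 2**bits) for bits in (32, 56, 128, 168)]
    entries.append(("26-character permutation", math.factorial(26)))
    return [(label, size, [describe(average_search_seconds(size, r)) for r in rates])
            for label, size in entries]


if __name__ == "__main__":
    for label, size, times in key_search_table():
        print(f"{label:26} {size:.1e} keys  " + "  ".join(times))
```

The rows reproduce the lecture's values once rounded (e.g. 2^55 µs is about 1142 years, which the second table rounds to 1100 years), and the same function gives the figure for any other key size or trial rate.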



Types Of Cryptography Algorithm (based on number of keys)
1. Symmetric key (also called secret key, single key, private-key or conventional) cryptographic algorithms.
2. Asymmetric or public key cryptographic algorithms.
Model for Network Access Security
Gatekeeper: password-based login, screening logic
Internal controls: monitor activity, analyse stored info
Model for Network Access Security (Contd)
Using this model requires us to:
1. select appropriate gatekeeper functions to identify users
2. implement security controls to ensure only authorised users access designated information or resources
Trusted computer systems may be useful to help implement this model.
Internet standards and RFCs
The Internet Society
Internet Architecture Board (IAB)
Internet Engineering Task Force (IETF)
Internet Engineering Steering Group (IESG)



Methods of Defence
Encryption
Software controls (access limitations in a database or operating system; protect each user from other users)
Hardware controls (smartcard)
Policies (frequent changes of passwords)
Physical controls
Internet RFC Publication Process (figure)



Q&A
The End